Vulnerabilities
Vulnerable Software
ExpressionEngine before 7.4.11 allows XSS.
CVSS Score: 6.1 | EPSS Score: 0.001 | Published: 2024-06-16
In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user.
CVSS Score: 8.8 | EPSS Score: 0.015 | Published: 2023-02-09
Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection. The user needs member creation/admin control panel access to execute the attack.
CVSS Score: 7.2 | EPSS Score: 0.005 | Published: 2022-02-18
In ExpressionEngine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2021-08-12
ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory.
CVSS Score: 8.8 | EPSS Score: 0.03 | Published: 2021-03-15
ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via the Compose Msg, Add attachment, and Save As Draft actions. A user with low privileges (member) is able to upload this. It is possible to bypass the MIME type check and the file-extension check while uploading new files. Short aliases are not used for an attachment; instead, direct access is allowed to the uploaded files. It is possible to upload PHP only if one has member access, or if registration/forum is enabled and one can create a member with the default group id of 5. To exploit this, one must (at least) be able to compose and send messages.
CVSS Score: 8.8 | EPSS Score: 0.009 | Published: 2020-06-24
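The addonIcon entry (a request parameter used in place of two fixed file names) and the .php%20 entry (an extension check that a trailing, percent-encoded space slips past) are two faces of the same mistake: trusting a client-supplied file name. The following is an added illustration in Python, not ExpressionEngine's code and not taken from this listing; the directory, the allowlists, the extension sets and the function names are all assumptions. It puts the vulnerable shape of each check beside a hardened one that decodes, normalises and then allowlists.

```python
"""Untrusted file names: allowlist the fixed icon names, and normalise then
allowlist upload names so "shell.php%20" and "shell.php.jpg" are rejected.
Illustrative example; paths and policy sets below are assumptions."""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Assumption: the only two icon files an add-on may expose (the page names these two).
ICON_ALLOWLIST = frozenset({"icon.png", "icon.svg"})
ICON_DIR = "/var/www/system/user/addons/file"  # hypothetical location

# Assumption: what a member may attach. An allowlist, never a blacklist.
ALLOWED_UPLOAD_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt"})
# Assumption: extensions that must not appear in any dotted segment of a stored
# name, to cover the double-extension case ("shell.php.jpg").
EXECUTABLE_EXTENSIONS = frozenset(
    {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "sh"}
)


def icon_path_unsafe(requested: str) -> str:
    """Vulnerable shape: the request parameter becomes part of the path.
    Note posixpath.join discards ICON_DIR entirely for an absolute argument."""
    return posixpath.join(ICON_DIR, requested)


def icon_path(requested: str) -> Optional[str]:
    """Hardened shape: only the two fixed names are ever resolved."""
    if requested not in ICON_ALLOWLIST:
        return None
    return posixpath.join(ICON_DIR, requested)


def naive_extension_ok(filename: str) -> bool:
    """A suffix blacklist of the kind a trailing space defeats:
    "shell.php " does not end with ".php", so it is accepted."""
    return not filename.lower().endswith((".php", ".phtml"))


def hardened_upload_name(raw: str) -> Optional[str]:
    """Decode, normalise, then allowlist. Returns the name to store, or None."""
    name = unquote(raw)                                   # "shell.php%20" -> "shell.php "
    if any(ord(c) < 32 or c == "\x7f" for c in name):     # NUL and other control bytes
        return None
    name = posixpath.basename(name.replace("\\", "/"))    # drop any directory part
    name = name.strip().rstrip(" .")                      # trailing blanks/dots are not an extension
    if not name or name.startswith("."):
        return None                                       # empty, or a dotfile like .htaccess
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return None                                       # no extension at all
    ext = ext.lower()
    if ext not in ALLOWED_UPLOAD_EXTENSIONS:
        return None
    # Every inner segment must also be safe: "shell.php.jpg" has segment "php".
    if any(seg in EXECUTABLE_EXTENSIONS for seg in stem.lower().split(".")):
        return None
    safe_stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)
    return f"{safe_stem}.{ext}"


if __name__ == "__main__":
    for candidate in ("shell.php%20", "shell.php.jpg", "../../etc/passwd.txt", "report.PDF"):
        print(f"{candidate!r:28} naive={naive_extension_ok(unquote(candidate))!s:5} "
              f"hardened={hardened_upload_name(candidate)!r}")
    print(icon_path_unsafe("../../config.php"), icon_path("../../config.php"))
```

Two points the code makes that the advisory text only implies: the decode step has to come before the strip step (the raw value "shell.php%20" is not "shell.php "), and the decision must be an allowlist on the final, normalised extension, because any blacklist leaves the next encoding trick untested.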
ExpressionEngine before 4.3.5 has reflected XSS.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2018-10-01
Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[] parameter to system/index.php or the (3) tbl_sort[0][] parameter in the comment module to system/index.php.
CVSS Score: 6.5 | EPSS Score: 0.005 | Published: 2014-11-04
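The practical use of a listing like this is deciding whether a given install is inside any of the affected ranges and which entry to patch first. The script below is an added example, not part of the Shodan page: it encodes each entry's range exactly as worded ("before X" is read conservatively as every version below X on any branch; "before 5.4.2 and 6.x before 6.0.3" is read as two branches) and orders the hits by the page's EPSS, then CVSS. The labels are this editor's shorthand for the entries; the version-string format it accepts is an assumption.

```python
"""Triage an installed ExpressionEngine version against the advisories listed
on this page. Example code; ranges, CVSS and EPSS are the page's values."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

Version = Tuple[int, int, int]
Predicate = Callable[[Version], bool]


def parse_version(text: str) -> Version:
    """'7.4.11' -> (7, 4, 11); shorter strings are zero-padded so '6' == '6.0.0'.
    Assumes plain dotted integers (no suffixes such as '-beta')."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def before(limit: str) -> Predicate:
    """'before X': every version strictly below X."""
    return lambda v: v < parse_version(limit)


def at_most(limit: str) -> Predicate:
    """'<= X': X itself is still affected."""
    return lambda v: v <= parse_version(limit)


def branch_before(major: int, limit: str) -> Predicate:
    """'6.x before 6.0.3': only the named branch, below the fix."""
    return lambda v: v[0] == major and v < parse_version(limit)


def either(*preds: Predicate) -> Predicate:
    return lambda v: any(p(v) for p in preds)


@dataclass(frozen=True)
class Advisory:
    label: str
    cvss: float
    epss: float
    affects: Predicate


ADVISORIES = [
    Advisory("2024-06-16 XSS (before 7.4.11)", 6.1, 0.001, before("7.4.11")),
    Advisory("2023-02-09 authenticated Control Panel RCE (before 7.2.6)", 8.8, 0.015, before("7.2.6")),
    Advisory("2022-02-18 member-creation SQLi (<= 5.4.0)", 7.2, 0.005, at_most("5.4.0")),
    Advisory("2021-08-12 addonIcon untrusted file parameter (before 6.0.3)", 9.8, 0.004, before("6.0.3")),
    Advisory("2021-03-15 Translate::save PHP code injection (before 5.4.2; 6.x before 6.0.3)", 8.8, 0.03,
             either(before("5.4.2"), branch_before(6, "6.0.3"))),
    Advisory("2020-06-24 .php%20 attachment upload (before 5.3.2)", 8.8, 0.009, before("5.3.2")),
    Advisory("2018-10-01 reflected XSS (before 4.3.5)", 6.1, 0.003, before("4.3.5")),
    Advisory("2014-11-04 multiple SQLi (before 2.9.1)", 6.5, 0.005, before("2.9.1")),
]


def affected(version: str) -> List[Advisory]:
    """Advisories whose range contains `version`, highest EPSS first, CVSS as tie-breaker."""
    v = parse_version(version)
    hits = [a for a in ADVISORIES if a.affects(v)]
    return sorted(hits, key=lambda a: (a.epss, a.cvss), reverse=True)


if __name__ == "__main__":
    for candidate in ("7.4.11", "7.4.10", "6.0.2", "5.4.5", "5.4.0"):
        hits = affected(candidate)
        print(f"{candidate}: {len(hits)} advisory(ies)")
        for a in hits:
            print(f"  EPSS {a.epss:<6} CVSS {a.cvss:<4} {a.label}")
```

The two-branch entry is where a naive "is my version lower than the fix" check goes wrong: 5.4.5 is below 6.0.3 yet is not in the 2021-03-15 range, while 6.0.2 is. The conservative reading of the other "before X" entries is deliberate; narrow a range only when the vendor advisory states which branches received the fix.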

Shodan ® - All rights reserved